Like everyone else in the UK and beyond, I read with increasing incredulity and anger at what has transpired at the Post Office and the impact this has had on the sub-postmasters, their families, and the communities that they served. The scandal has also brought many questions to the fore as to what management and the board knew and when.
One key aspect of the Post Office Horizon scandal that remains firmly in the spotlight is the risks associated with the Horizon system, a large, bespoke, older IT system. Was the board cognisant of the risks that Horizon posed to the Post Office? Were they aware of its history? The predecessor to Horizon, ICL Pathway, was developed to computerise social security benefit payments through the Post Office. It was beset by problems¹ and was 3 years late and hundreds of millions of pounds over budget when the Benefits Agency pulled the plug. A political solution was found for the troubled Pathway system, and it was repurposed as Horizon. Hardly an auspicious beginning.
The board should have been made aware that there was a substantial risk that the Horizon system may have been built on shaky software foundations.
The board should also have been made aware that, when the Post Office was spun out of Royal Mail, it inherited a long-term contract that came out of the failed Pathway project with a lot of political baggage: it was the first Private Finance Project in the IT sector. There were disputes at the time as to who picked up the bill for the failure of Pathway, and a long-term contract to develop Horizon was agreed. The Post Office seems to be stuck with this system and associated contracts.
Complex, expensive legacy systems are not unique to the Post Office. The UK Government earmarked roughly half its IT budget in 2021 for keeping legacy systems running. That was over £2.3bn at the time, and spending on obsolete systems was projected to go up to as much as £22bn over the following 5 years².
But it is not just government departments or state-owned enterprises like the Post Office that are struggling with legacy systems. Banks, insurance companies and other financial institutions also have significant exposure to this area. And the issue is not just cost. The Dutch insurer Nationale Nederlanden (part of NN Group NV) has had to coax programmers of older computer languages like Cobol out of retirement as it can no longer recruit enough of these through traditional recruitment means³. It went so far as to say that there was a risk the core payment system in the country could fail if this shortage of programmers was not addressed structurally.
The question for directors and boards is not just whether they are aware that they have legacy systems, but whether the associated risks have been adequately mapped. Are these systems reliable? What is their downtime? Does the company or its suppliers have the resources, both in terms of funds and skilled manpower, to keep these old systems running? Does the company have a concrete, costed plan to phase out legacy systems? What are the costs and risks of replacing these systems with more up-to-date ones?
Over-reliance on a single supplier can be hard to avoid – think of Microsoft Office. There are alternatives, but switching would be very disruptive and, in many cases, very unpopular with those who have invested a lot of time and effort to become proficient at using or maintaining these systems. The same goes for switching ERP system providers. Nevertheless, boards should insist that the company’s CTO has plans in place for terminating contracts for poor performance or other commercial considerations, and such plans should also contain the costs and technical practicalities associated with moving to another supplier.
It may well be that, for reasons outside the control of the current board and management, you have, like the Post Office, inherited a legacy system that may prove costly, disruptive, and risky from a business continuity perspective to change. The company needs to be open about such business-critical risks and how it is managing them with its suppliers and other third parties.
Whilst we await further evidence to the parliamentary inquiry to provide more answers, we have already drawn some general lessons for boards and directors around asking the right questions, risk management, incentivisation, culture, speaking up and KPIs; see “Horizon scandal: seven lessons for boards.”
1 https://www.independent.co.uk/news/business/icl-stumbles-on-pathway-to-hell-1092947.html
2 https://www.bbc.co.uk/news/uk-politics-58085316
3 https://fd.nl/tech-en-innovatie/1503432/betalingsverkeer-draait-op-computertaal-die-bijna-niemand-meer-kent-we-zien-een-ramp-aankomen